The present invention relates to authentication in an on-line computer system, and more specifically to using user activity recognition to determine authentication of a user of the system.
Authentication of a user's identity to allow the user access to secure information is often carried out using two-factor authentication. Two-factor authentication identifies users through the combination of two different components. The components may be a physical object in the possession of the user, some secret known to the user or some physical characteristic of the user such as biometrics.
Mobile phones have been used as part of the two-factor authentication process. In this approach, the users who want to authenticate themselves on a computer system enter their personal access information (i.e. something that only the individual user knows) into the computer system. The computer system sends a one-time-valid, dynamic passcode consisting of digits or information to a mobile device associated with the user in the records of the computer system. The mobile device could be a mobile phone or tablet, and the passcode can be sent as text or embedded into a quick response (QR) code received on the mobile device. The code is may be sent to the mobile device by short message service (SMS) or via a special app.
The user would then need to enter the passcode sent to their mobile device to provide the information to an authentication query. Alternatively, an authentication code may be embedded into the headers (e.g. originating address) of the message sent to the mobile device, so that the user only needs to reply to the message in order to authorize and authenticate. Thus, current methods of two-factor authentication with a mobile phone requires manual effort/input from the user and can be bothersome to the user.
Authentication of the user may be carried out using other methods, such as detection of suspicious events. The suspicious events may be detected by tracking internet protocol (IP) addresses. If the user request comes from an unknown IP address, suspicious IP address, or from an IP address from a different geographical location, then the system may consider these events to be suspicious and require a second factor for authentication of the user.
The suspicious events may also be detected by tracking HTTP cookies. For example, when a webpage which requires authentication is accessed from a new device, the authentication sends a HTTP cookie to the server of the webpage to notify the website of the user's previous activity. When the user's activity does not match, for example authentication of the user's identity through a device was not previously used, a second factor for authentication to confirm the user's identity may be required.